Posts Tagged: Security

Periodically, we turn over control of the CenturyLink Cloud blog to members of our certified technology Ecosystem to share how they leverage our platform to enable customer success. This week’s guest author from the Cloud Marketplace Provider Program is Chad Zerangue, CEO, at Simplicity Health Systems.

Health information is becoming increasingly difficult to manage as clinical and financial requirements and regulations become more stringent and partnering relationships become increasingly complex. This is especially the case when it comes to sharing information with ancillary services like pharmacies, radiology departments, medical laboratories, third-party providers, and specialist providers. The U.S. Department of Health and Human Services Office of Civil Rights (OCR) has a growing HIPAA Audit Program. HIPAA-covered entities will be required to make sure their systems are compliant with the HIPAA Privacy Act or face heavy fines, jail time, or both. Many small and medium-sized healthcare businesses can’t afford the multi-million dollar health information systems that larger hospitals and other large health entities can. In turn, they resort to non-compliant tools such as email, fax machines, eFax, RingCentral, Box, and DropBox. Simplicity Health Systems is disrupting that paradigm with a system that allows healthcare businesses to easily share information with their partners,...

October is National Cyber Security Awareness Month (NCSAM), an annual campaign sponsored by the National Cyber Security Alliance (NCSA). The overall goal, according to the Department of Homeland Security, which participates in NCSAM, is to “increase the resiliency of the Nation in the event of a cyber incident.”

Security threats are vast and constantly evolving, and your business’s security strategy should be too.

Today, security isn’t just about basic protection. Companies have far more to consider than they once did. Now, a security strategy is a holistic approach to protection, prevention, detection and response—and it needs to encompass all aspects of an adaptive security architecture.

Top Business Security Threats

Here’s an overview of what you need to consider when implementing, updating, and enforcing your security strategy.

External Threats

According to Cisco's Annual Security report, 100% of multinational companies show evidence that suspicious traffic was emanating from their networks and attempting to connect to questionable sites.

The speed at which external threats are increasing is exponential. There are millions of malware variations that enterprises must defend against, but it’s difficult for signature-based malware detection to keep up. There are more distributed denial-of-service (DDoS) attacks than ever before, and they vary widely; they can be highly targeted or generic, long...

Periodically, we turn over control of the CenturyLink Cloud blog to members of our certified technology Ecosystem to share how they leverage our platform to enable customer success. This week’s guest author from the Cloud Marketplace Provider Program is Matt Pley, VP Carrier & Service Provider Group, at Fortinet.

Cloud computing is becoming increasingly popular among enterprises looking to take advantage of quick deployment, unprecedented scalability, and cost savings. Both public cloud adoption and private cloud infrastructure, including virtualization and software-defined networking (SDN), are rapidly transforming data centers worldwide. Evolving your infrastructure means your security must evolve as well. If your security can’t keep up with the agile public, private, and hybrid cloud environments of today, gaps in protection will occur.
The Fortinet Security Fabric has integrated next-generation firewall (NGFW) technology with the CenturyLink Cloud platform to help businesses achieve end-to-end security without the complexity.

CenturyLink Cloud® announces new automation to deploy blockchain nodes for both NEM and Expanse services.

What is a Blockchain and why is the Technology Significant?

Blockchain is a catch-all term for a shared immutable cryptographic distributed database. In this special kind of database the data, commonly referred to as the 'ledger', is encrypted for security and permanently stored in numerous systems across geographically varied sites for diversity and redundancy.

One of the top struggles of IT departments today is making data frictionless for their customers, internal and external, to consume, yet doing so in a secure manner. With today’s technology and services those goals can be difficult to balance. Blockchain technology, however, can mitigate these concerns. By storing the data in an encrypted 'ledger' that spans numerous servers across the globe, the data will be readily accessible at all times and secured against malicious modification.

Periodically, we turn over control of the CenturyLink Cloud blog to members of our certified technology Ecosystem to share how they leverage our platform to enable customer success. This week’s guest author from the Cloud Marketplace Provider Program is Sid Prasanna, CEO of FlexSecure Inc. (www.flexsecure.co).

As cyber attacks and data breaches continue to make headlines, Security-as-a-Service offerings are becoming more valuable by the day. In the IT world, there is now a fundamental understanding that any business with an on-line presence needs to think about data security for both their business and their customers. FlexSecure has joined with the CenturyLink Cloud Marketplace to make the process of providing robust, solid, and capable authentication easy and painless for any customer, regardless of their technical abilities.

Solution Overview

The FlexSecure platform enables organizations of all sizes to choose and combine user authentication solutions based on the individual needs of their company. Companies and developers can add pin and passwordless security to their existing authentication mechanisms. Users can also change authentication methods in near real-time through an easy-to-use interface.

Layered Security

Some of FlexSecure's primary advantages are:

Custom user and device authentication: The authentication standards can be "turned up or down" to suit the needs of the users. For...

Recently a major vulnerability in the open source GNU C Library (aka ‘glibc’) was disclosed to the public. In a post on February 19th, we discussed how to tell if you were affected by the glibc vulnerability and how the CenturyLink Cloud platform was largely unaffected by the issue. For many users and providers, however, that was not the case. Despite a patch being issued in parallel with the disclosure, this revelation undoubtedly kicked off a scramble in IT organizations of all sizes and industries to evaluate the level of exposure this vulnerability presents within their overall environment.

For most companies, the ability to estimate quickly and accurately their level of risk to a vulnerability like glibc just doesn't exist. Even if a company has a robust threat evaluation process, IT personnel usually aren't equipped to answer the real question of whether the cost -- both tangible and intangible -- and risk associated with performing emergency maintenance and patching is a necessary or a worthwhile investment. Sometimes, a patch isn't available at the time of the disclosure and the company doesn’t have that option. Essentially, IT personnel can know that the company is vulnerable, yet there isn’t anything they can do about it. Either...

Popular media outlets are reporting a new vulnerability that was recently discovered in "glibc" which is a key component in most modern Linux systems. For background, you can read the details of the original discovery and the summary information on the risk rating for this vulnerability.

The CenturyLink Cloud® platform is largely unaffected by this issue. We have patched our DNS servers and the default DNS servers used by customer virtual machines on our platform. Customers running their own DNS servers on Linux-based virtual machines or customers not using the default CenturyLink Cloud DNS servers should apply the released patches to these servers as soon as possible.

For customers using the CenturyLink Cloud® Intrusion Prevention Service (IPS), your hosts already have detection enabled for any attempts to exploit this vulnerability. This particular signature is set to "detect only" rather than "block" in order to prevent unintended impact to production services. The IPS system will send you an alert using the configured mechanisms if there are any attempts at an exploit. We recommend you update the operating system on your servers according to your standard maintenance cycle. You can learn more by reading our IPS Anywhere post.

Let's face it, you never know when the need will arise to restore or recover your data. We’ve all “been there, done that”, or we have it in the back of our mind that we’ll need to do it someday. However, the odds are that the need to restore won’t be triggered because of a disaster or a hack, but more likely because of common reasons such as: system/user error, corrupt data, deleted data, new environments, a legal hold request, or a Governance, Risk Management, or Compliance (GRC) program which requires that the data must be restored as proof that the data is being retained.

Whatever the case may be, the key to understanding data restoration is knowing that data backups are taking place to begin with, which means planning, implementation, and execution. These tasks can be daunting and riddled with details, which is why they are typically assigned to an operations team (including the planning). However, there are other contributors to backup planning: business owners, product owners, application/database owners, etc., especially when they have a vested interest in restoring or recovering after an issue or event has occurred. Naturally, you want (and need) the correct data restored as soon as...

In today's growing market, we are seeing customers of all sizes migrate to the cloud for a variety of reasons. The cloud is certainly showing its value in the market, from the small developer looking for a free, disposable, or cost efficient server to large corporate customers looking to optimize IT agility and expenses.

Unfortunately, whether it's cloud or traditional managed services, many clients opt for nothing more than an anti-virus application and perhaps a firewall to cover their information security compliance requirements. However, as attacks grow more sophisticated and Advanced Persistent Threats (APT) grow more prevalent, using nothing but anti-virus and a firewall can leave gaps in your security profile, exposing you and your customers to unnecessary risks.

To get an idea of the risks you might face, consider this article - MySQL servers hijacked with malware to perform DDoS attacks. In this case, the attacker was able to upload a Trojan Horse application directly into a database, most likely through a SQL injection. An Intrusion Prevention System (IPS), unlike an anti-virus application, would have detected the SQL injection attempt and blocked it at the web interface. However, because the system was inadequately protected, the attacker slipped the Trojan Horse past...

Ensuring the privacy and confidentiality of data and that customer media is protected are strategic priorities at CenturyLink. That filters down into our chain of custody procedures when handling or transferring customer media and in our procedures for the sanitization and disposal of media. Here's a shocking observation from the National Institute of Standards and Technology (NIST) Special Publication 800-88, Rev.1 on a leading source of media vulnerability and what is needed to close the gap.

An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information. Media flows in and out of organizational control through recycle bins in paper form, out to vendors for equipment repairs, and hot swapped into other systems in response to hardware or software failures. This potential vulnerability can be mitigated through proper understanding of where information is located, what that information is, and how to protect it.

Part 3 of the Data Center series highlights the safety measures in place for digital and non-digital media in a CenturyLink data center. We've limited...

Cyber attacks on major corporations generate big news headlines, especially when they are successful. Threats to a data center from heat, humidity, water, or smoke aren't as flashy in terms of media coverage. They are, nonetheless, just as real and, potentially, just as devastating. That's why you need a full array of environmental protections in and around your data center.

Any data center provider will affirm that they're required, and that all built-in protections fly under the radar until you really need them. To illustrate the point, on January 9, 2015 several news agencies covered a 3-alarm fire at a data center in Ashburn, Virginia. The massive building was under construction. The conflagration apparently had started on the roof. Fortunately, there were no injuries and firefighters were able to extinguish the blaze after about an hour.

This is Part 2 in a 3 Part series highlighting different protections inside and around a CenturyLink data center. This time we focus on the environmental safeguards that protect the facility, personnel, the infrastructure, and your data. If you missed Part 1 in the series, Data Center: Physical Security, you can find that topic right here.

Security is newsworthy. Recently, the IRS reported as many as 330,000 taxpayer accounts they believe were accessed by thieves. These security breaches often result in identity theft and the loss of critical corporate data, and can cost your company millions of dollars in unrecoverable expenses.

As a company, you need to be aware of IT security and your need to be protected, and you might be wondering where to start. This post is the first in a multi-part series about the various types of security products available and what they can do for you. These tools can be used to secure anything -- whether it's a home PC or laptop, an enterprise tech stack or even a hosted hybrid cloud solution. The same principles apply everywhere. Initially, we’ll begin with host-based security products.

Host-based security products are those that reside on or help to protect one host, server, or virtual machine. These host-based security products can be used at home or at work. The three fundamental types we’ll discuss here are Anti-Virus/Anti-Malware, firewalls and IDS/IDP.

Anti-Virus or Anti-Malware

Let’s start with Anti-Virus or Anti-Malware products. These products detect and protect against software viruses on your host. These harmful files get to your host through...

"Data security starts with physical security." Natalie Lehrer underscored that point in her Information Week article called A Guide to Physical Security. She's right. Protection of company personnel, facilities, and data begins with physical security. It's a strategic priority at CenturyLink. The "rubber meets the road" in the management and operation of the facilities. Our data centers earn a M&O Stamp of Approval Certification from the Uptime Institute. Joel Stone is responsible for Global Data Center Operations at CenturyLink. Here's his take on the importance of a data center receiving M&O Certification:

"Earning the M&O certification demonstrates the effectiveness of a data center’s management and operations, giving customers “peace of mind” by ensuring the facility that houses their critical IT functions has passed a rigorous, third-party audit to conform its practices to the highest of standards."

This is Part 1 in a three-part series covering various aspects of data center security. Part 2 will discuss environmental protections. Part 3 will cover media protections.

Security Policies

It starts at the top. Physical security at a data center is governed by CenturyLink Corporate Security. This group oversees the policies, processes, and work rules ensuring that all data centers operate under a consistent set of procedures...

Periodically, we turn over control of the CenturyLink Cloud blog to members of our certified technology ecosystem to share how they leverage our platform to enable customer success. This week’s guest author from the Cloud Marketplace Provider Program is Tim Thompson of security and compliance provider Cavirin.

No business wants to be exposed to risk, fail an audit, or get breached. We can help. With Cavirin’s Automated Risk Analysis Platform (ARAP), now integrated within the CenturyLink Cloud Platform, you can elevate your security posture and add an extra layer of transparency and visibility in your cloud ecosystem, without any additional security staff or heavyweight security tools.

ARAP can help strengthen your infrastructure by continuously monitoring your CenturyLink Cloud environment as well as on-premise environment -- seeking out configuration changes as well as new devices and grading the associated risk based on security and compliance guidelines that you apply. Our platform paints a clear picture of the risk within your dynamic IT ecosystem, so that you stay proactive, well ahead of potential risks to security or gaps in compliance.

ARAP is agentless and automated, which means cost and time savings for you.

Third in a series of 3 blogs on Cloud Security

Now that we’ve covered cloud security fundamentals and how CenturyLink secures its cloud, for our final post on security this week, we turn to addressing managed services for cloud-based resources.

Many cloud users would like to assign the majority of security responsibilities to a third party service provider, particularly if the workloads and applications are not core to their business. Yet maintaining a high level of cloud security is essential to their business. Using a cloud service provider with expertise in cloud security makes sense; the right provider will have a breadth of experience and skilled employees in this specialized field. In-house cloud security expertise is increasingly hard to find, and even harder to keep.

Security for Managed Server and OS

CenturyLink Cloud offers managed services for operating systems and applications, such as a Windows Server running IIS, Active Directory, or Red Hat Linux machines running Apache Tomcat. These managed services include built-in security features and security options. For example, the operating systems come with industry-standard anti-virus protection and regular virus and malware signature updates. The operating system has to be hardened, e.g. by closing off ports, downloading and applying the latest security updates...

Best Practices for Service Providers: 2nd in a series of 3 Cloud Security Blogs

Welcome back to our cloud security week! Today our cloud security series has a focus on how CenturyLink Cloud manages its cloud environment, per the shared responsibility model described in this week’s earlier post and our recently released Cloud Security Overview.

With security as the top IT concern for many years, it’s no surprise the industry worked hard to alleviate enterprise customer security concerns. Today many organizations actually feel more comfortable with security in the cloud than they do with that of their on-premises data center. One customer noted, “when we were running our own datacenters, it was a full time job just to evaluate and install all the required security patches. We just didn’t have the ability to get to them all. That was creating risk.”

Let’s look at some best practices in critical areas under the cloud security domain, including APIs, user management, logging, and identity and access management.

Securing API Calls

Application Programming Interfaces (APIs) allow you to integrate your cloud-based application with myriad other systems regardless of their locations or platforms. They’re great for business agility, but they introduce an additional...

Security is paramount at every layer of the infrastructure stack, from the underlying hardware to the application itself. The advent of cloud and hybrid IT models has extended this conversation off-premise when creating cloud-enabled applications.

This is the first post in a cloud security series on topics ranging from the shared responsibility model to the intricacies associated with identity and access management, just to name a few. These posts build on cloud security best practices covered in our recently released ebook, 5 Best Practices for Cloud Security, and our detailed look at security in the CenturyLink Cloud Security Overview.

Today’s blog discusses the shared responsibility model and the least privilege principle. These two lay the foundation for most security decisions when adopting and leveraging cloud-based infrastructure resources. Without them, businesses using cloud may not know when or how to secure their environments or what actions authenticated users can take.

Shared Responsibility Model

The shared responsibility model describes an understanding between the cloud provider and its users, where the provider manages security of the cloud and users manage security in the cloud. Security of the cloud normally constitutes physical assets, underlying network and IT infrastructures, and foundational...

Periodically, we turn over control of the CenturyLink Cloud blog to members of our certified technology ecosystem to share how they leverage our platform to enable customer success. This week’s guest author from the Cloud Marketplace Provider Program is Margaret Walker from Cohesive Networks, a software-defined networking company.

Cloud computing effectively outsources a lot of the traditional data center operations and management roles and responsibilities. Cloud providers build data centers that are faster and cheaper than most enterprises. That's great but what does that mean for the way you, the cloud users, secure your cloud resources?

Public cloud is arguably just as secure as an on-premise data center, but getting data to the cloud uses the public internet. The public internet is just that - public. Your data in motion moves from your device, over the public internet, then into a secure cloud environment.

Shared Attention: Overlapping Security Controls Are Powerful

CenturyLink is excellent at building secure data centers, screening and vetting their staff, and automating security controls that support their compliance policies. With a solid cloud platform, you no longer have to worry about hardware and virtual security in Layer 0 – 3.

A new vulnerability was recently identified in the “bash” shell that is a default component of most Linux operating systems deployed globally today. This vulnerability – dubbed “Shellshock” – is being compared to what was experienced earlier this year with the Heartbleed bug because of the widespread use of the impacted Linux operating systems.

Shellshock has been assigned the highest risk rating of “10” according to the Common Vulnerability Scoring System (CVSS). Why? The vulnerability can be exploited across the network, it does not require any authentication to exploit, and exploiting this vulnerability is simple.

If you have instances running a Linux operating system in CenturyLink Cloud data centers, you are likely affected. Our unmanaged customers are responsible for day-to-day configuration and deployment of these systems, so it is the customer’s responsibility to remediate any affected systems.

We recommend you apply the updates for this vulnerability as quickly as possible. This is especially important for those servers running Apache web servers as there are published exploits already circulating for Apache websites.

A dangerous bug was identified in a popular SSL/TLS library that powers many of the web servers on the internet. This bug – called Heartbleed – allows attackers to retrieve data stored in a server’s memory and access sensitive information.

CenturyLink Cloud wants you to be aware of one impacted area which was identified through our comprehensive assessment: OpenVPN software. The Linux distribution used for OpenVPN does not yet have an updated, patched package available to remediate this vulnerability. We are actively pursuing other solutions and will have an update on this issue shortly. [Please see update and action items below]

As this issue is related to OpenVPN client software, we believe it is important to detail what type of communication between users/machines may be affected by this vulnerability.

The Control Portal system is NOT affected, so there is no need to change your password to the web site.

Site to site VPN tunnels from customer premise equipment to CenturyLink Cloud datacenters are NOT affected.

Site to site VPN tunnels between customer servers in a particular CenturyLink Cloud data center to other customer servers in a remote CenturyLink Cloud data center are NOT affected.